paul Posted August 25, 2006

A number of vulnerabilities were discovered and corrected in the Linux 2.6 kernel:

- Prior to 2.6.15.5, the kernel allowed local users to obtain sensitive information via a crafted XFS ftruncate call (CVE-2006-0554).
- Prior to 2.6.15.5, the kernel did not properly handle uncanonical return addresses on Intel EM64T CPUs, causing the kernel exception handler to run on the user stack with the wrong GS (CVE-2006-0744).
- ip_conntrack_core.c in the 2.6 kernel, and possibly nf_conntrack_l3proto_ipv4.c, did not clear sockaddr_in.sin_zero before returning IPv4 socket names from the getsockopt function with SO_ORIGINAL_DST, which could allow local users to obtain portions of potentially sensitive memory (CVE-2006-1343).
- Prior to 2.6.16.17, a buffer overflow in SCTP in the kernel allowed remote attackers to cause a Denial of Service (crash) and possibly execute arbitrary code via a malformed HB-ACK chunk (CVE-2006-1857).
- Prior to 2.6.16.17, SCTP in the kernel allowed remote attackers to cause a DoS (crash) and possibly execute arbitrary code via a chunk length that is inconsistent with the actual length of provided parameters (CVE-2006-1858).
- Prior to 2.6.16, a directory traversal vulnerability in CIFS could allow a local user to escape chroot restrictions for an SMB-mounted filesystem via ".." sequences (CVE-2006-1863).
- Prior to 2.6.16, a directory traversal vulnerability in smbfs could allow a local user to escape chroot restrictions for an SMB-mounted filesystem via ".." sequences (CVE-2006-1864).
- Prior to 2.6.17, Linux SCTP allowed a remote attacker to cause a DoS (infinite recursion and crash) via a packet that contains two or more DATA fragments, which caused an skb pointer to refer back to itself when the full message is reassembled, leading to an infinite recursion in the sctp_skb_pull function (CVE-2006-2274).
- The dvd_read_bca function in the DVD handling code assigns the wrong value to a length variable, which could allow local users to execute arbitrary code via a crafted USB storage device that triggers a buffer overflow (CVE-2006-2935).
- Prior to 2.6.17, the ftdi_sio driver could allow local users to cause a DoS (memory consumption) by writing more data to the serial port than the hardware can handle, causing the data to be queued (CVE-2006-2936).
- The 2.6 kernel, when using both NFS and EXT3, allowed remote attackers to cause a DoS (file system panic) via a crafted UDP packet with a V2 lookup procedure that specifies a bad file handle (inode number), triggering an error and causing an exported directory to be remounted read-only (CVE-2006-3468).
- The 2.6 kernel's SCTP was found to cause system crashes and allow for the possibility of local privilege escalation due to a bug in the get_user_iov_size() function that doesn't properly handle overflow when calculating the length of iovec (CVE-2006-3745).

The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels immediately and reboot to effect the fixes.

To update your kernel, please follow the directions located at: http://www.mandriva.com/en/security/kernelupdate
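Two of the bug classes in the advisory above are worth seeing in code: the uninitialised-padding leak behind CVE-2006-1343 (sin_zero handed to user space without being cleared) and the unchecked length summation behind CVE-2006-3745 (iovec lengths wrapping around). The following is an added example written for this page, not code from paul's post, the Mandriva advisory or the Linux kernel; the struct my_iovec stand-in, the cap parameter and the helper names are assumptions made for the illustration, and the defensive pattern shown is the generic one (zero the whole struct before filling it; reject a sum that would exceed a bound before adding to it).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Constructed stand-in for the kernel's iovec: a base pointer and a length. */
struct my_iovec {
    void *iov_base;
    size_t iov_len;
};

/*
 * Sum the lengths of n iovecs without letting the total wrap.
 * Every addition is checked against the remaining headroom below `cap`
 * (an assumed upper bound chosen by the caller), so the running sum can
 * never exceed cap and therefore can never overflow size_t.
 * Returns 0 and stores the total on success, -1 if any element or the sum
 * would exceed cap.
 */
int iov_total_len(const struct my_iovec *iov, size_t n, size_t cap, size_t *total)
{
    size_t sum = 0;
    for (size_t i = 0; i < n; i++) {
        /* Reject before adding: if iov_len > cap - sum, sum + iov_len > cap. */
        if (iov[i].iov_len > cap - sum)
            return -1;
        sum += iov[i].iov_len;
    }
    *total = sum;
    return 0;
}

/*
 * Fill a sockaddr_in that will be copied out to a less trusted consumer.
 * Zeroing the entire structure first guarantees the sin_zero padding bytes
 * (and any compiler-inserted padding) do not carry stale stack or heap data.
 * addr_be and port_be are already in network byte order.
 */
void fill_sockaddr_in(struct sockaddr_in *out, uint32_t addr_be, uint16_t port_be)
{
    memset(out, 0, sizeof(*out));
    out->sin_family = AF_INET;
    out->sin_port = port_be;
    out->sin_addr.s_addr = addr_be;
}

/* Returns 1 if every byte of sin_zero is zero, 0 otherwise. */
int sin_zero_is_clean(const struct sockaddr_in *sa)
{
    for (size_t i = 0; i < sizeof(sa->sin_zero); i++)
        if (sa->sin_zero[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed iovec array whose second length would wrap a naive sum. */
    struct my_iovec bad[2] = { { NULL, SIZE_MAX - 5 }, { NULL, 10 } };
    size_t total = 0;
    printf("overflowing iovec rejected: %s\n",
           iov_total_len(bad, 2, SIZE_MAX, &total) == -1 ? "yes" : "no");

    /* Deliberately dirty the struct first to mimic reused memory. */
    struct sockaddr_in sa;
    memset(&sa, 0xAB, sizeof(sa));
    fill_sockaddr_in(&sa, htonl(0x7f000001), htons(80));
    printf("sin_zero clean after fill: %s\n", sin_zero_is_clean(&sa) ? "yes" : "no");
    return 0;
}
```

The overflow check deliberately compares against the remaining headroom rather than computing the sum and testing for wraparound afterwards; the latter is undefined for signed types and easy to get wrong for unsigned ones when more than one addition is involved.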